[lug] creating client certs for apache

Hugh Brown hugh at math.byu.edu
Thu Sep 8 20:27:57 MDT 2005

On Thu, 2005-09-08 at 20:16 -0600, D. Stimits wrote:
> ...
> > Keys are in pairs - public, private. The public key is published
> > through the cert. The private key is used by the client to prove
> > that it is associated with the cert. The client key pairs are
> > unrelated to the CA or servers they might connect to. They are
> > not like physical keys used in door locks.
> > 
> > You create the key pairs and CSRs for the authorized clients. See
> > openssl genrsa and openssl req. Then you sign the CSRs with your
> > CA cert (i.e. the CA private key). After that you distribute
> > the CA cert, the client cert and client private key through a
> > secure channel.
> This is the part I don't want: I won't be distributing a server's 
> private key to anyone. But I am willing to sign public keys to be used 
> in web browsers and svn clients that will access the repository. The 
> question is, do I demand every person involved learn to create key pairs 
> and have them send me a key to sign...or can I just create a key pair 
> separate from the server, but signed by the self-CA of the server, and 
> give those out?

I think you misunderstand the previous post.  Let's simplify the
scenario to one server and one client.  There are 6 keys in total.

Certificate Authority private key
Certificate Authority public key
Web server private key
Web server public key
Client/browser private key
Client/browser public key

You create a certificate authority private/public key pair.  You create
a web server private/public key pair.  You create a certificate signing
request (csr) for the web server.  You sign that request with the
certificate authority private key.  You create a client/browser
private/public key pair.  You create a csr for the client key.  You sign
it with the CA private key.

Now you need to get the appropriate keys to the client.  The client will
need to receive both the client private/public keys.  The client will
also need the public key of the Certificate Authority and set the
browser/svn/whatever client to trust the public key of your CA.

The client browser will now be able to get to your website w/o the
"unknown certificate authority" warning.  You can use the client public
key to do your access control.

For each additional client, you can create a new certificate, do the
csr, sign it with your CA and send on the necessary keys.

> >>
> >> Now as far as apache goes, once I have the keys to be accepted, the 
> >> server is not hard to configure. My question is on configuration of 
> >> the mozilla end...mozilla wants a PKCS12 format, which I do not have 
> >> (and which will be needed regardless of whether I'm the one who 
> >> generates it, or if outside individuals generate their own). I assume 
> >> I have to do a conversion to this format, probably based on my cert, 
> >> and then send that out to everyone. My question now is whether this 
> >> assumption is correct, and if so, how do I generate a public key from 
> >> my server's cert (or from the server's private key) in PKCS12 format, 
> >> such that I can give it a name like "Repository X Developer"? Then I 
> >> could set up apache to allow access to repository named "X" if that 
> >> key is present. I could send out a "Repository Y Developer" key as 
> >> well and give them automatic access to the repository named "Y".
> > 
> > See openssl pkcs12 for format conversion. The cert files used by IE may
> > need to have a .crt extension.
> This conversion has been eluding me. What I get is a stuck openssh 
> process waiting for input.

man pkcs12 will get you to the man page for the openssl sub-command.
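
The six-key procedure laid out above, carried through to the PKCS12 bundle asked about at the end, as an added shell example that is not part of the original thread. The subject names, the export password `changeit` and the output directory are constructed here; the friendly name follows the thread's "Repository X Developer" wording. It uses `openssl req -newkey` to make each key pair and CSR in one step instead of a separate `openssl genrsa`, and `-passout pass:` supplies the export password on the command line, which is the usual reason `openssl pkcs12 -export` appears to hang: with no password given it sits waiting for one on the terminal.

```shell
#!/bin/sh
# Constructed example: one CA, one web server, one client, then a PKCS12
# bundle for the client's browser. Assumes a reasonably current openssl.
set -eu

# Create all six keys (CA, server, client; private + public each) plus
# the signed certificates and the client's .p12 bundle under $1.
build_pki() {
    dir=$1
    mkdir -p "$dir"

    # 1. CA key pair and a self-signed CA certificate (the "public key of
    #    the Certificate Authority" the browser will be told to trust).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=Example Repository CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Web server key pair and CSR, then sign the CSR with the CA key.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=svn.example.invalid" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null

    # 3. Client key pair and CSR, signed by the same CA. The client key is
    #    unrelated to the server key; only the CA signature ties them.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Repository X Developer" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null

    # 4. Bundle client cert + client private key + CA cert as PKCS12 for
    #    Mozilla. -name sets the friendlyName the browser displays;
    #    -passout avoids the interactive "Enter Export Password:" prompt.
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.crt" -name "Repository X Developer" \
        -passout pass:changeit -out "$dir/client.p12"
}

# Check that a certificate chains to the CA in $1 (what apache and the
# browser each do, from their own side).
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null
}

# Read back the friendlyName stored in the bundle, to confirm the label.
p12_friendly_name() {
    openssl pkcs12 -in "$1/client.p12" -passin pass:changeit -nokeys \
        2>/dev/null | sed -n 's/^ *friendlyName: //p'
}

# Stand-alone run: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    build_pki "$out"
    verify_cert "$out" "$out/client.crt"
    echo "client bundle: $out/client.p12 (friendlyName: $(p12_friendly_name "$out"))"
fi
```

Only `client.p12` and `ca.crt` leave the server; `ca.key` and `server.key` never do. On the apache side, `SSLCACertificateFile` pointed at `ca.crt` with `SSLVerifyClient require` is what turns the client certificate into an access-control credential.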
